Please find enclosed a list of known viruses in the UK prepared by
Joe Hirst of the BCVRC, he is happy that it be distributed as widely
as possible.
Of great interest is the new Fu Manchu variant of the Israeli virus,
a virus with a slightly embarassing manipulation task!
Ps. Joe doesn't have a mail box to date but I will relay any requests,
comments or information you pass on.
D.Ferbrache
European co-ordinator
Comp.Virus
IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM;
: Joe Hirst British Computer Virus Research Centre :
: 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England :
: Telephone: Domestic 0273-26105, International +44-273-26105 :
: :
: List of known PC viruses :
: :
: This list is intended to give enough information to identify a virus :
: or a variant form of a virus. It is not intended by itself to supply :
: enough information for a programmer to deal with a virus. If any virus :
: is found which does not exactly match any of the following descriptions :
: the Centre requests that a copy of the virus be sent to us, or to a :
: local researcher known to be in contact with us. :
HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM<
1. 405
Parasitic virus - overwriting
Type description:
Virus occurs overwriting the first 405 bytes of a COM file. The virus
will attempt to infect one COM file on a different disk to the current
one. If the length of the file to be infected is less than 405 bytes,
the length will be increased to 405. Due to mistakes in the code it is
not able to infect other than in the current directory, nor is it able
to recognise an infected file.
-----------
2. Brain
Boot virus - floppy only
Type description:
This virus consists of a boot sector and three clusters (6 sectors)
marked as bad in the FAT. The first of these sectors contains the
original boot sector, and the rest contain the rest of the virus. It
only infects 360K floppies, and it occupies 7K of memory. It creates a
label on an infected disk of ' (c) Brain '. There are a number of
unused character strings which can be used to identify it:
Offset 0010H:
' Welcome to the Dungeon '
' (c) 1986 Basit & Amjad (pvt) Lt'
'd. BRAIN COMPUTER SERVICES..730 NI'
'ZAM BLOCK ALLAMA IQBAL TOWN LAHOR'
'E-PAKISTAN..PHONE :430791,443248,280530. '
' Beware of this VIRUS.....Contact us for vaccin'
'ation............... $#@%$@!! '
Offset 0202H
'(c) 1986 Basit & Amjads (pvt) Ltd '
Offset 0355H
' (c) 1986 Basit & Amjads (pvt) Ltd'
Offset 04A6H
' (c) Brain $'
Variations:
All the variations we have so far seen have only involved changes to
these character strings.
(1) Offset 0010H:
'Welcome to the Dungeon (c) 1986 D.C.L', 17H, '&'
' Amjads (pvt) Ltd VIRUS_SHOE RECORD v9.0 '
'Dedicated to the dynamic memories of millions of'
' virus who are no longer with us today - Thanks '
'GOODNESS!! BEWARE OF THE er..VIRUS : \thi'
's program is catching program follows after'
' these messeges..... $#@%$@!! '
Offset 0202H
'(c) 1986 Brain & Amjads (pvt) Ltd '
Offset 0355H
' (c) 1986 Brain & Amjads (pvt) Ltd'
Offset 04A6H
' (c) ashar $'
(2) As variation 1 except 'D.C.L' is changed to 'Brain' in string at offset
0010H
(3) As variation 2 except 'Brain' is changed to 'Jork ' in string at offset
0202H
-----------
3. Cascade - AKA 1701, 1704
Parasitic virus - resident
Type description:
The virus occurs attached to the end of a COM file. COM files increase
in length by 1701 bytes. The first three bytes of the program are
stored in the virus, and replaced by a branch to the beginning of the
virus. The virus is encrypted (apart from the first 35 bytes) using an
algorithm that includes the length of the host program, so every sample
looks different. It becomes memory-resident when the first infected
program is run, and it will then infect every COM file run (even if the
file has an EXE extension). If the system date is between October and
December 1988 the cascade display will be activated at random
intervals. The virus tests the BIOS for the string 'COPR. IBM', and
will not infect if it finds this - however there are errors in the code
which prevent it from working. Because recognition depends on the
length of the virus, it will infect programs already infected by
variants with different lengths.
Variations:
(1) COM files increase in length by 1704 bytes. The only differences are
the removal of a conditional jump (which would never have been taken),
and some necessary segment overrides on the BIOS tests missing in the
previous version. There is still a mistake preventing an IBM machine
from being recognised.
-----------
4. Datacrime - AKA 1168
Parasitic virus - non-resident
Type description:
The virus occurs attached to the end of a COM file. COM files increase
in length by 1168 bytes. The first three bytes of the program are
stored in the virus, and replaced by a branch to the beginning of the
virus. The virus will search through full directory structure of the
disks (in the order C, D, A, B) for a COM file other than COMMAND.COM.
It will also ignore any COM file if the 7th letter of the name is a D.
If the date is after 12 October (any year) it will display the message:
'DATACRIME VIRUS'
'RELEASED: 1 MARCH 1989'
and do a low level format on track zero, all heads, of the hard disk.
Due to mistakes in the code the system is almost certain to crash the
first time the critical error handler is invoked after the virus
terminates.
-----------
5. Dbase [report only - no sample]
Parasitic virus - resident
Type description:
Infects COM and EXE files. Transposes random bytes of any open .DBF
file, keeping a record of which bytes in a hidden file (BUG.DAT) in the
same directory. The virus restores these bytes if the file is read.
If the BUG.DAT file is 90 days old or more the FAT and root directory
are overwritten.
-----------
6. Den Zuk - AKA Search [report only - no sample]
Boot virus - floppy only
Type description:
Graphics display of 'DEN ZUK', together with the AT&T logo, slides in
from the sides of the screen on bootup. After five such bootups the
disk is trashed - no details of how.
-----------
7. Fu Manchu
Parasitic virus - resident
Type description:
The virus occurs attached to the beginning of a COM file, or the end of
an EXE file. It is a rewritten version of the Jerusalem virus, and
most of what is said for that virus applies here with the following
changes:
a. The code to delete programs, slow down the machine, and display
the black 'window' has been removed, as has the dead area at
the end of the virus and some sections of unused code.
b. The marker is now 'rEMHOr' (six bytes), and the preceeding 'sU'
is now 'sAX' (Sax Rohmer - creator of Fu Manchu).
c. COM files now increase in length by 2086 bytes & EXE files 2080
bytes. EXE files are now only infected once.
d. One in sixteen times on infection a timer is installed which
runs for a random number of half-hours (maximum 7.5 hours). At
the end of this time the message 'The world will hear from me
again!' is displayed in the centre of the screen and the
machine reboots. This message is also displayed every time
Ctrl-Alt-Del is pressed on an infected machine, but the virus
does not survive the reboot.
e. There is further code which activates on or after the first of
August 1989. This monitors the keyboard buffer, and makes
derogatory additions to the names of politicians (Thatcher,
Reagan, Botha & Waldheim), censors out two four-letter words,
and to 'Fu Manchu ' adds 'virus 3/10/88 - latest in the new fun
line!' All these additions go into the keyboard buffer, so
their effect is not restricted to the VDU. All messages are
encryted.
-----------
8. Italian - AKA Pingpong
Boot virus - DOS boot sector
Type description:
This virus consists of a boot sector and 1 cluster (2 sectors used)
marked as bad in the first copy of the FAT. The first of these sectors
contains the rest of the virus, and the second contains the original
boot sector. It infects all disks which have at least two sectors per
cluster, and it occupies 2K of memory. It displays a single character
'bouncing ball' which interacts with some characters on the screen. It
will not run on an 80286 or an 80386 machine.
-----------
9. Jerusalem - AKA 1813, Friday the 13th, PLO, Israeli
Parasitic virus - resident
Type description:
The virus occurs attached to the beginning of a COM file, or the end of
an EXE file. A COM file also has the five-byte 'marker' attached to
the end. This marker is usually (but not always) 'MsDos', and is
preceeded in the virus by 'sU'. COM files increase in length by 1813
bytes. EXE files usually increase by 1808 bytes, but the displacement
at which to write the virus is taken from the length in the EXE header
and not the actual length. This means that part or all of this 1808
bytes may be overwritten on the end of the host program. It becomes
memory-resident when the first infected program is run, and it will
then infect every program run except COMMAND.COM. COM files are
infected once only, EXE files are re-infected each time they are run.
After the system has been infected for thirty minutes an area of the
screen from row 5 column 5 to row 16 column 16 is scrolled up two lines
creating a black two line 'window'. From this point a time-wasting
loop is executed with each timer interrupt. If the system was infected
with a system date of Friday the thirteenth, every program run will be
deleted instead. This will continue irrespective of the system date
until the machine is rebooted. The end of the virus, from offset
0600H, is rubbish and will vary from sample to sample.
Variations:
(1) [report only - no sample]
This is almost certainly an earlier variant. The string 'sUMsDos' in
the type version is 'sURIV 3.00' in this version, the 30 minute delay
is here 30 seconds, and there is a bug in the program delete.
(2) [report only - no sample]
This is probably the first version. Only COM files are infected, and
the target date is 1st April. When target date is reached, the trojan
element is triggered the first time an uninfected file is infected by
the memory-resident virus. This produces the message 'APRIL 1ST HA HA
HA YOU HAVE A VIRUS', and the machine locks. Identifying string is
'sURIV 1.01'.
(3) [report only - no sample]
As variation 2, but only infects EXE files. Trojan is triggered first
time an infected file is run on 1st April. Additionally, machine locks
one hour after infection if default date of 1-1-80 is used. Virus
infects file only once. Identifying string is 'sURIV 2.01'.
-----------
10. Lehigh [report only - no sample]
Parasitic virus - overwriting
Type description:
Infects only COMMAND.COM, where it overwrites the stack space. If a
disk which contains an uninfected copy of COMMAND.COM is accessed, that
copy is also infected. A count of infections is kept within each copy
of the virus, and when this count reaches 4 every disk (including hard
disks) currently in the computer is trashed by overwriting the initial
tracks (boot sector & FAT). Infection changes the date and time of the
infected file. If a floppy with an uninfected COMMAND.COM is write-
protected, there will be a 'WRITE PROTECT ERROR' message from DOS.
-----------
11. New Zealand - AKA Stoned, Marijuana
Boot virus - master boot sector
Type description:
This virus consists of a boot sector only. It infects all disks, and
it occupies 1K of memory. The original boot sector is held in track
zero, head one, sector three on a floppy disk, and track zero head
zero, sector two on a hard disk. The boot sector contains two
character strings: 'Your PC is now Stoned!' & 'LEGALISE MARIJUANA!'.
The first of these is only displayed one in eight times when booting
from an infected floppy, the second is unreferenced.
Variations:
(1) Much of the code has been reorganised. The only significant change is
that the original boot sector is stored at track zero, head zero,
sector seven on a hard disk. The second string is not transfered when
infecting a hard disk.
-----------
12. Oropax - AKA Music virus [report only - no sample]
Parasitic virus - resident
Type description:
Infects COM files, length increases by 2756-2806 bytes, so that total
length is divisible by 51. Becomes active (randomly) five minutes
after infection, playing three different tunes with a seven minute
interval.
-----------
13. Pentagon
Boot virus - floppy only
Type description:
Virus is possibly an honorary term, at least for this sample, as all
attempts to run it have so far failed. The following describes what
would happen if it did work (as future samples might).
This virus consists of a boot sector and two files. The boot sector is
a normal PCDOS 3.20 boot sector with three changes:
1. The OEM name 'IBM' has been changed to 'HAL'.
2. The first part of the virus code overwrites 036H to 0C5H.
3. 100H-122H has been overwritten by a character string.
The name of the first file is the hex character 0F9H. This file
contains the rest of the virus code followed by the original boot
sector. The name of the second file is PENTAGON.TXT. This file does
not appear to be used in any way or contain any meaningful data. Both
files are created without the aid of DOS, and the first file is
accessed by its stored absolute location. Four different sections of
the virus are separately encrypted:
1. 004AH - 004BH, key 0ABCDH - load decryption key
2. 0059H - 00C4H, key 0FCH - rest of virus code in boot sector.
3. 0791H - 07DFH, key 0AAH - the file name and copyright message.
4. 0800H - 09FFH, key 0FCH - the original boot sector.
The virus will survive a warm boot (Ctrl-Alt-Del). It only infects
360K floppies, and it will look for and remove Brain from any disk that
it infects. It occupies 5K in memory.
-----------
14. Vienna - AKA 648, Austrian, Unesco
Parasitic virus - non-resident
Type description:
The virus occurs attached to the end of a COM file. COM files increase
in length by 648 bytes. The first three bytes of the program are
stored in the virus, and replaced by a branch to the beginning of the
virus. The virus looks for, and infects, one COM file - either in the
current directory or in one of the directories on the PATH. One in
eight files 'infected' does not get a copy of the virus. Instead the
first five bytes of the program are replaced by a far jump to the BIOS
initialization routine.
Variations:
(1) This is the version published in Ralf Burger's book 'Computer Viruses:
A High-Tech Disease'. An error has been introduced which disables the
virus's ability to search through the PATH, and the far jump has been
replaced by five spaces.
-----------
15. Yale - AKA Alameda, Merritt
Boot virus - floppy only
Type description:
This virus consists of a boot sector only. It infects floppies in the
A-drive only and it occupies 1K of memory. The original boot sector is
held in track thirty-nine, head zero, sector eight. It hooks into INT
9, and only infects when Ctrl-Alt-Del is pressed. It will not run on
an 80286 or an 80386 machine, although it will infect on such a
machine. It has been assembled using A86. It contains code to format
track thirty-nine, head zero, but this has been disabled.
-----------